N a vig a ting the SBOM l a ndsc a pe: Form a ts, relev a nce, a nd tooling in 2024 Viktor Petersson vpetersson.com 

$ who a mi 

Wh a t a re SBOMs? 

Why now? 

Wh a t a re SBOMs used for? 

An a lysis Coll a bor a tion Gener a tion 

Gener a tion 

The e a sy w a y. Kind a . 

The form a t w a r 

from 

from 

The tools 

Generic 

Dom a in speci f ic tools 

Completeness & enrichment 

Tr a nsitive vs. prim a ry dependencies 

No content

Source vs. Build vs. Run 

But w a it...there's more 

Product SBOM Project SBOM(s) Component SBOM(s) Smart Thermostat Backend IoT Device Python SBOM Node SBOM Docker SBOM Rust SBOM Project SBOM Project SBOM 

But wh a t a bout security? 

Coll a bor a tion 

H a ndling SBOMs tod a y feels like m a n a ging source code in the 90s, with p a tches sent over em a il. 

Vendor 1 sbomify Vendor 2 Vendor 3 Buyer 1 Buyer 2 Buyer 3 SBOM(s) SBOM(s) SBOM(s) Compliance Audit Security Audit License Audit 

An a lysis 

No content

Big Picture 

Product SBOM Project SBOM(s) Component SBOM(s) Smart Thermostat Backend IoT Device Python SBOM Node SBOM Docker SBOM Rust SBOM Project SBOM Project SBOM 

OBOM CBOM SaaSBOM HBOM ML-BOM VEX Product SBOM Smart Thermostat 

St a te of SBOMs 

No content

No content

No content

Q & A 

More re a ding • NTIA Minimum Elements • Fr a ming Softw a re Component Tr a nsp a rency: Est a blishing a Common Softw a re Bill of M a teri a ls (SBOM) (2nd edition) • 3nd edition is rele a sed shortly • SBOM Resources • CISA Working Group: SBOM Gener a tion • Sh a meless self plug: sbomify • Slides will be a v a il a ble on vpetersson.com/ a bout Sc a n for deep dive!